Splunk Enterprise Security

Fine-tune Incident Review - Splunk ES

tbavarva
Path Finder

Hi All,
We are using the Splunk ES app in our environment, log sources are integrated with it, and I am working on making the logs CIM compatible.

As of now, we are getting thousands of notable events in Splunk ES incident review dashboard.

While investigating the events, most of them are false positives.

In the notable events, we can see a success count of 320 and a failed attempt count of 10 within a day. So this is not the correct behavior of a brute force.

I also checked correlation rules associated with each event.

For example, the brute force behavior correlation rule only considers the success event count.

I need help fine-tuning these correlation rules, as well as the standard threshold count for all correlation rules in Splunk ES.

Could anyone please point me to any document available in Splunk Docs which can fulfill my purpose?

If you have fine-tuned these rules in your environment, your guidance would be welcome.

That would be a great help.

Regards,
Tejas

0 Karma
1 Solution

richgalloway
SplunkTrust

All ES correlation searches can be (and should be) edited to suit your environment. In ES, select Configure->Content and choose "Correlation Search" from the Type dropdown. Click on the search you want to modify. Edit the search as necessary to fit your requirements. There should be a where clause containing the threshold for the notable event, but feel free to change any part of the search.

---
If this reply helps you, Karma would be appreciated.


0 Karma

tbavarva
Path Finder

Hi @richgalloway ,
Thanks for your kind response.

base search
| xswhere failure from failures_by_src_count_1d in authentication is above medium

Can you please tell me what these terms (failure, failures_by_src_count_1d, medium) are?

Regards,
Tejas

0 Karma

richgalloway
SplunkTrust

IIRC, 'failure' is a field from the base search; 'failures_by_src_count_1d' is a lookup file maintained by the Extreme Search (XS) app; and 'medium' is a fuzzy measurement used by XS. The definition of "medium" will vary over time with the number of failures detected. You can change "medium" to "high" to create a higher threshold.

See https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Extremesearchreference for more information.

BTW, in ES 6.0 Extreme Search is replaced by the Machine Learning Toolkit.

---
If this reply helps you, Karma would be appreciated.
0 Karma
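As an added illustration of the "edit the where clause" advice above (this is not the search shipped with ES and not code from the thread), the same brute force logic with the XS fuzzy threshold replaced by an explicit, fixed threshold. It counts failures and successes per source over the Authentication data model, then fires only when failures are high, at least one success followed, and failures outnumber successes; the values 25 and 0.5 are assumed starting points to tune per environment, and the 320 success / 10 failure case from the question would not match.

```spl
| tstats summariesonly=true
    count(eval('Authentication.action'=="failure")) as failure
    count(eval('Authentication.action'=="success")) as success
    from datamodel=Authentication
    by Authentication.src
| rename Authentication.* as *
| eval failure_ratio=round(failure/(failure+success), 2)
| where failure >= 25 AND success > 0 AND failure_ratio >= 0.5
| table src failure success failure_ratio
```

Set the correlation search's time range (for example the last 24 hours) in its scheduling settings rather than in the search text, so the same search can be re-run over a different window when tuning.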

tbavarva
Path Finder

Thanks a lot @richgalloway That is what I wanted to know. 🙂

0 Karma